
OS X remote malware strikes Thunderbolt, hops hard drive swaps

Thunderstrike 2 hack no longer needs physical access.

BlackHat video Researchers Trammell Hudson and Xeno Kovah have built self-replicating Apple firmware malware that can infect peripherals to spread to new computers.

The Thunderstrike 2 malware is the second iteration of the attack forged earlier this year and removes the requirement for attackers to have physical access to machines.

Hudson says while his proof of concept is deliberately noisy, displaying a logo during boot, a real attack could be made surreptitious through virtualisation or system management mode.

"Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash," Hudson says.

"It can search the PCIe bus and look for removable Thunderbolt devices and write itself into their option ROMs.

"When the infected adapter is connected to a fresh laptop during system boot the option ROM is executed by EFI firmware before the kernel is started … and hooks the S3 resume script that will be executed when the system comes out of sleep mode."

Once installed in the boot flash, Thunderstrike is "very difficult" to remove because it controls the system from the first executed command. Reinstalling the operating system or even replacing the hard drive will not remove it.

The infection of new Thunderbolt peripheral devices means a potential victim may even re-infect a replacement laptop.

Thunderstrike was revealed in January as a then-unmitigated attack targeting option ROMs to load malware by replacing RSA keys in Mac extensible firmware interfaces (EFIs).

Apple issued a partial fix in the ensuing OS X patch run, blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slow it down for those attackers lacking high levels of resources. ®
